Related

The June deadline is quickly approaching for cloud providers to prove their services meet federal security standards.

Meanwhile, agencies are being advised to inventory whether their cloud contractors have made the cut.

The deadline isn’t that far off considering it can take a company six months to complete the government’s security cloud program, known as FedRAMP. Cloud services in use at federal agencies must meet FedRAMP security requirements by June 5.

“If agencies have cloud providers that have not been accredited they should contact my office and ask if they are in the pipeline,” said Maria Roat with the General Services Administration. Roat, who serves as FedRAMP director, spoke last month at the Federal Cloud Computing Summit in Washington.

If those companies are not in the pipeline, agencies must decide whether they should work with cloud providers to get their services accredited through FedRAMP, Roat said. They can also have the company work directly with the FedRAMP office to get accredited.

It can take an agency about 4½ months to complete a FedRAMP review or six months for a company to undergo the process on its own, Roat said.

She suggested companies with a small federal footprint — one or two small agencies — consider working with those agencies directly to get FedRAMP approval for their products and services.

FedRAMP’s 298 security controls are based on National Institute of Standards and Technology guidelines that govern how agencies should secure their information technology systems. NIST updated those guidelines last year. Roat said there are plans for cloud providers under FedRAMP to transition to the new standards, but that’s largely dependent on where they are in the FedRAMP process.

The plan was to incorporate the new security standards into FedRAMP this month, but that likely won’t happen until around March because NIST has not yet released test cases, Roat said.

Roat said her office also worked with the Defense Information Systems Agency on its efforts to establish additional requirements above FedRAMP standards.

DoD spent the past 18 months trying to address how it will move DoD mission and data into commercial clouds, said Doug Gardner, DISA’s technical director for the Mission Assurance Executive.

“With unclassified and nonsensitive data, the basic controls that you get from somebody who has been through FedRAMP, for example, is really good enough,” Gardner said. “We’re only worried about integrity. The data is already releasable to the world.”